About ForgeRock Identity Management Software

ForgeRock Identity Platform™ serves as the basis for
our simple and comprehensive Identity and Access Management solution.
We help our customers deepen their relationships with their customers,
and improve the productivity and connectivity of their employees and partners.
For more information about ForgeRock and about the platform, see https://www.forgerock.com.

The ForgeRock Common REST API works across the platform to provide
common ways to access web resources and collections of resources.

Several samples are provided to familiarize you with the IDM
features. For more information, see
"Overview of the Samples" in the Samples Guide.

For an architectural overview and a high-level presentation of IDM,
see "Architectural Overview" in the Integrator's Guide.

Chapter 1. What's New

This chapter covers new capabilities in the current release of ForgeRock Identity Management.

1.1. Patch Bundle Releases

ForgeRock patch bundle releases contain a collection of fixes and minor RFEs that have been grouped together and released
as part of our commitment to support our customers. For general information on ForgeRock's maintenance and patch releases,
see Maintenance and Patch Availability Policy.

The release can be deployed as an initial deployment or updated from an existing 6.5 deployment. IDM 6.5 is available for download at the
ForgeRock Backstage website: IDM 6.5.

1.2. New Features

This release of ForgeRock Identity Management software includes the
following new features:

IDM 6.5.0.3

There are no new features in this release, only bug fixes.

IDM 6.5.0.2

There are no new features in this release, only bug fixes.

IDM 6.5.0.1

There are no new features in this release, only bug fixes.

IDM 6.5.0

Delegated Administration Capabilities

IDM 6.5.0 supports delegated
administration, through a privilege model. For more information, see
"Privileges and Delegation" in the Integrator's Guide.

New End User UI

IDM 6.5.0 includes an End User UI based on
the Vue JavaScript framework. To facilitate customization, ForgeRock has
made the End User UI code available in the following public Git
repository:
Identity Management (End User) - UI.

You can customize the default End User UI, and create your own End User
UIs, based on the code in this Git repository.

Important

The default workflows provided with IDM have been rewritten to
use the Vue JS framework. Previously, these workflows used JQuery and
Handlebars. If your deployment includes existing workflows, you
must rewrite these to use Vue JS if you want to view
them in the new End User UI. The new UI does not support older workflow
templates that use JQuery and Handlebars.

To rewrite existing workflows for the new UI, you must have a basic
understanding of the Vue JS framework and how to create components. For
more information, see the
Vue documentation.
For an example of a workflow template written for the new UI, see
/path/to/samples/provisioning-with-workflow/workflow/contractorOnboarding.bar.
This archive file includes the workflow definition
(contractorOnboarding.bpmn20.xml) and the
corresponding JavaScript template (contractorForm.js)
to render the workflow in the new UI.

If you previously generated your workflows with a bpmn file (and never
created custom JavaScript files), the new UI will just generate these as
before and you will not have to convert them.

Keystores and Truststores now configured through the Secrets Service

The configuration keystores and truststores are now managed by a new IDM
secrets service. You configure secrets through the secrets.json
file in your project's conf/ subdirectory. The secrets
service also supports key rotation: the currently active key is used to
encrypt new values, while keys that were active earlier remain available so
that values encrypted under them can still be decrypted. In other words, the
active key is not necessarily the key needed to decrypt a given stored value.

IDM now supports Oracle UCP as an alternative to the default
HikariCP connection pool library, solely for an Oracle DB. For more
information, see "Setting Up an Oracle DB Repository" in the Installation Guide.

JSON Standard Output Audit Event Handler

IDM now includes an audit event handler that writes audit events, as JSON,
to standard output, which in the default deployment is the OSGi console.

IDM now includes a dedicated customizable notification service
that sends messages as configured. Notifications are no longer configured
in the onUpdateUser.js script, but are shown in
dedicated notification-*.json files. For more information,
see "Configuring Notifications" in the Integrator's Guide.

1.3. Product Enhancements

IDM 6.5.0.3

In Windows deployments, the IDM code has been fixed to look for jvm.dll to support
either Java 8 or Java 11. However, switching between Java 8 and Java 11 can break the Windows service.
Therefore, if you are using Java 8 and want to move to Java 11, uninstall the Windows service using
server.bat /uninstall openidm on the Java 8 installation and reinstall using server.bat /install openidm
on the Java 11 installation. For more information, see
https://backstage.forgerock.com/docs/idm/6.5/install-guide/#install-windows-service.

IDM 6.5.0.2

Signout Works Properly When Access Token has Expired

IDM 6.5.0.2 has improved the signout process to work properly when an AM access token has become
invalid or expired.

IDM 6.5.0.1

There are no product enhancements in this release, other than bug fixes.

IDM 6.5.0

This release of Identity Management software includes the following enhancements:

.NET Connector Server Now Uses WCF by Default

On Windows 10, 2012, and 2016, the .NET connector server now uses Windows
Communication Foundation (WCF) as the default WebSockets library, instead
of Vtortola. Vtortola is still the default library on Windows 2008.

Synchronization Performance Improvements

IDM now supports asynchronous (queued) synchronization for
implicit synchronization operations. For more information, see
"Queued Synchronization" in the Integrator's Guide.

Improved Connectors and Samples

The Salesforce Connector has been rewritten as a standard ICF
connector, rather than a separate IDM module. For more
information, see "Salesforce Connector" in the Connector Reference.

1.4. Security Advisories

ForgeRock issues security advisories in collaboration with our customers and
the open source community to address any security vulnerabilities
transparently and rapidly. ForgeRock's security advisory policy governs the
process on how security issues are submitted, received, and evaluated as well
as the timeline for the issuance of security advisories and patches.

For details of all the security advisories across ForgeRock products, see
Security
Advisories in the Knowledge Base library.

Chapter 2. Before You Install

This chapter covers requirements to consider before you run
ForgeRock Identity Management software, especially before you run the software in
your production environment.

If you have a special request to support a component or combination not listed
here, contact ForgeRock at info@forgerock.com.

2.1. Supported Repositories

The following repositories are supported for use in production:

ForgeRock Directory Services (DS) 6.5

By default, IDM uses an embedded
DS instance for testing purposes. The embedded instance is not
supported in production. If you want to use DS as a repository
in production, you must set up an external instance.

MySQL version 5.6 and 5.7 with MySQL JDBC Driver Connector/J 5.1.18 or
later

MariaDB version 10.0, 10.1, and 10.2 with MySQL JDBC Driver Connector/J
5.1.18 or later

Microsoft SQL Server 2012, 2014, and 2016

Warning

For deployments using Microsoft JDBC Driver 7.x for SQL Server with Java 11, see Known Issues IDM 6.5.0.3.

ForgeRock supports repositories in cloud hosted environments, such as AWS and
Google Kubernetes Engine (GKE), as long as the underlying repository is supported. In other words,
the repositories listed above are supported, regardless of how they are
hosted.

Note

These repositories may not be supported on all operating system platforms.
See documentation from repository owners for more information.

Do not mix and match versions. For example, if you're running Oracle Database
11gR2, and want to take advantage of the new support for Oracle UCP, download
driver and companion JARs for Oracle version 11gR2.

2.2. Containers

You must install IDM as a stand-alone service, using Apache Felix
and Jetty, as provided. Alternate containers are not supported.

IDM bundles Jetty version 9.2.

2.3. Supported Connectors

IDM bundles the following connectors:

Adobe CM Connector

CSV File Connector

Database Table Connector

Google Apps Connector

Groovy Connector Toolkit

This toolkit enables you to create scripted connectors to virtually any
resource.

Kerberos Connector

LDAP Connector

Marketo Connector

MongoDB Connector

Salesforce Connector

SCIM Connector

Scripted CREST Connector

Scripted REST Connector

Scripted SQL Connector

ServiceNow Connector

Scripted SSH Connector

Currently supported only as a prerequisite for the Kerberos Connector

Workday Connector

A PowerShell Connector Toolkit is available for download from the
ForgeRock BackStage download site.
This Toolkit enables you to create scripted connectors to address the
requirements of your Microsoft Windows ecosystem.

Windows versions 2008, 2012 R2, and 2016 are supported as the remote systems
for connectors and password synchronization plugins.

You must use the supported versions of the .NET Connector Server, or the Java
Connector Server. The 1.5.x Java Connector Server is backward compatible with
the version 1.1.x connectors. The 1.5.x .NET Connector Server is compatible
only with the 1.4.x and 1.5.x connectors. For more information, see
"IDM / ICF Compatibility Matrix".

The Java connector server requires Java 8 or Java 11 and is supported on any
platform on which Java runs.

Important

Although the scripted connector toolkits are supported, connectors that
you build with these toolkits are not supported. You can find examples of
how to build connectors with these toolkits in the
Samples Guide.

The following table lists the connector and connector server versions that
are supported across IDM versions. For a list of connectors supported
with this IDM release, see
"Connector Overview" in the Connector Reference. For a
list of connector releases associated with this version of IDM, see
"Connector Release Notes Overview" in the Connector Release Notes.

2.6. Preparing the Java Environment

ForgeRock validates IDM software with Oracle JDK and OpenJDK,
and does occasionally run sanity tests with other JDKs. Support for very
specific Java and hardware combinations is best-effort. This means that if
you encounter an issue when using a particular JVM/hardware combination, you
must also demonstrate the problem on a system that is widespread and easily
tested by any member of the community.

ForgeRock recommends that you keep your Java installation up to date with
the latest security fixes.

Important

The clock implementation in JDK 8 is based on
System.currentTimeMillis() and supports time resolution
up to the millisecond only. JDK 11 has an enhanced system clock
implementation that provides at least the same precision as the underlying
system clock.

Precise time resolution is important for features such as queued
synchronization that rely on precise time for ordering of operations. It
is therefore recommended that you use JDK 11 for optimum performance of
these features.

If you are using Oracle JDK 8 and you use 2048-bit SSL certificates, you
must install the Unlimited JCE policy to enable
IDM to use those certificates.

Download and install the Unlimited Strength JCE Policy Files for Java 8 from
the Oracle Technology Network site. Unzip the archive and copy the policy JAR
files (local_policy.jar and US_export_policy.jar) into the lib/security
directory of the JRE (for a JDK installation, jre/lib/security). Note that
since Oracle JDK 8u161 the unlimited policy is enabled by default through the
crypto.policy=unlimited setting in lib/security/java.security, so this step
is only needed for earlier Java 8 updates.

2.7. Fulfilling Memory and Disk Space Requirements

When you install IDM for evaluation, with the embedded
DS repository, you need 256 MB memory (32-bit) or 1 GB memory
(64-bit) available.

You also need 10 GB free disk space for the software and for sample data.

Important

A DS repository (whether embedded or external) requires free disk
space of 5% of the filesystem size, plus 1 GB by default. To change this
requirement, set the disk-full-threshold in the DS
configuration. For more information, see Setting
Disk Space Thresholds For Database Backends in the
DS Administration Guide.

In the case of an embedded DS instance, you can manage the
configuration using the dsconfig command in
/path/to/openidm/db/openidm/opendj/bin.

In production, disk space and memory requirements will depend on the size of
your external repository, as well as the size of the audit and service log
files that IDM creates.

The amount of memory that IDM consumes is highly dependent on the
data that it holds. Queries that return large data sets will have a
significant impact on heap requirements, particularly if they are run in
parallel with other large data requests. To avoid out of memory errors,
analyze your data requirements, set the heap configuration appropriately,
and modify access controls to restrict requests on large data sets.

Chapter 3. Fixes, Limitations, and Known Issues

This chapter covers the status of key issues, limitations, and known issues for this release of
ForgeRock Identity Management. For details and
information on other issues, see the IDM
issue tracker.

3.2. Limitations

IDM 6.5.0.3

There are no limitations in functionality in this release, other than what has been specified in IDM 6.5.0.

IDM 6.5.0.2

There are no limitations in functionality in this release, other than what has been specified in IDM 6.5.0.

IDM 6.5.0.1

There are no limitations in functionality in this release, other than what has been specified in IDM 6.5.0.

IDM 6.5.0

ForgeRock Identity Management 6.5.0 has the following known limitations:

When you add or edit a connector through the Admin UI, the list of required
Base Connector Details is not necessarily accurate for
your deployment. Some of these details might be required for specific
deployment scenarios only. If you need a connector configuration where not
all the Base Connector Details are required, you must create your connector
configuration file over REST or by editing the provisioner file. For more
information, see
"Configuring Connectors" in the Integrator's Guide.

For OracleDB repositories, queries that use the queryFilter
syntax do not work on CLOB columns in explicit tables.

A conditional GET request, with the If-Match request
header, is not currently supported.

IDM provides an embedded workflow and business process engine
based on Activiti and the Business Process Model and Notation (BPMN) 2.0
standard. As an embedded system, local integration is supported. Remote
integration is not currently supported.

When using privileges, relationships are not returned in queries. This
means information that is handled as a relationship to another object
(such as roles for a managed user) will not be available.

Support for running remote connector servers with the legacy communication
protocol has been removed. Connections to remote connector servers must use
the websocket protocol.

3.3. Known Issues

IDM 6.5.0.3

Microsoft JDBC Driver 7.x for Java 11 Does Not Work with IDM 6.5.x

ForgeRock has found that the Java 11 version of the Microsoft JDBC Driver 7.x for SQL Server
(mssql-jdbc-7.2.2.jre11.jar, mssql-jdbc-7.4.1.jre11.jar) does not work with
IDM 6.5.x due to a class loading problem.

One possible workaround is to use the Java 8 version of the driver (mssql-jdbc-7.2.2.jre8.jar and
mssql-jdbc-7.4.1.jre8.jar), which we have found to work with Java 11. Note that Microsoft does not
recommend this configuration and may not support it.

If you are using Java 11 and must use the Java 11 version of the driver (mssql-jdbc-7.2.2.jre11.jar,
mssql-jdbc-7.4.1.jre11.jar), the only workaround is to update your
IDM version from 6.5.x to an upcoming major release, which fixes this issue.

IDM 6.5.0.2

There are no known issues in this release, other than those issues listed in IDM 6.5.0.

IDM 6.5.0.1

There are no known issues in this release, other than those issues listed in IDM 6.5.0.

IDM 6.5.0

The following important issues remained open at the time of this release:

OPENIDM-14099: Queued sync does not work for mappings with names longer than 38 characters (JDBC repo)

Workaround: Queued synchronization creates locks when
it acquires the mappings to process on a particular IDM node. The
length of the objectid column in the locks
table is 38 characters by default. Because the lock _id
is set to the mapping name, it can easily exceed 38 characters. You should
increase the length of this column to 255 characters.

OPENIDM-12170: Delete on managed or internal object does not return the included relationship fields that were included in the request

OPENIDM-12177: Notifications service does not work with relationship fields

OPENIDM-12109: Able to add managed object property with illegal character via Admin UI

OPENIDM-12106: Delegated Admin query filter and fields requests does not work properly with object type

OPENIDM-11536: Cannot set user password for user created through full-stack social registration

OPENIDM-11408: Paging is not working in 'Association/Data Association Management for mapping detail'.

Workaround: The JSON audit handler does not support
paging. If you use an audit event handler that supports paging (such as the
repository or Elasticsearch handlers), you will not encounter this issue.

Note that these commands do not change the alias of the default
server-cert. To customize the server-cert
alias for an embedded DS repository, define the custom alias in the
resolver/boot.properties file, for example
"openidm.config.crypto.opendj.localhost.cert=my-custom-alias".

Edit the aliases that are defined in conf/secrets.json.
For example, with the aliases specified previously:

Chapter 4. Compatibility

This chapter covers major and minor changes to existing functionality, as well
as deprecated and removed functionality. You must read this chapter before
you start a migration from a previous release.

4.1. Important Changes to Existing Functionality

Take the following changes into account when you update to IDM
6.5.0. These changes will have an impact on existing
deployments. Adjust existing scripts and clients accordingly:

IDM 6.5.0.3

There are no important changes or enhancements in functionality in this release.

IDM 6.5.0.2

There are no important changes or enhancements in functionality in this release.

IDM 6.5.0.1

There are no important changes or enhancements in functionality in this release.

IDM 6.5.0

Changes to openidm.encrypt()

The output of openidm.encrypt() has changed when using
ECB as your cipher mode (such as
AES/ECB/PKCS5Padding). The resulting encrypted value
now differs each time openidm.encrypt() is run on the same input.
Even though the encryption result differs each time,
openidm.decrypt() still works. Scripts that compared two encrypted
values to decide whether the underlying plaintext values were equal will no
longer behave as expected; decrypt both values and compare the plaintext instead.

No automated update process

The automated update process available with previous IDM versions
is no longer supported. Updating servers is now a manual process and is
described in detail in
"Updating Servers" in the Installation Guide.

Internal objects previously accessible at the repo/internal/
endpoint are now accessible at the internal/ endpoint.
For example, internal user objects are now accessible at
internal/user rather than repo/internal/user.

Note

Because this is a breaking change, additional steps are necessary when
upgrading from previous versions of IDM. For more information,
see "Changes to repo/internal".

Roles are now referred to by full path

Internal and managed roles are now referenced by their full path (for
example, openidm-authorized is now
internal/role/openidm-authorized). Support for using
role names without a full path is deprecated, and may be removed in a
later release.

DS repositories now return a null value for missing properties

Previously, embedded and external repo.ds.json files
defaulted to not returning empty properties. They now return the empty
properties with a value of null. This aligns more
closely with the behavior seen in JDBC repositories that use explicit
mappings.

If you wish to revert this behavior, change
returnNullForMissingProperties to false in the
rest2LdapOptions property in your
repo.ds.json file. For more information about the
returnNullForMissingProperties property, see
Gateway REST2LDAP
Configuration File in the DS Reference.

Notification configuration options have been removed from
onUpdateUser.js.

In addition, the following files have been removed for
IDM 6.5:

userNotifications.js

onDelete-user-cleanup.js

Change to proxy configuration for external REST service

In previous releases, configuring a proxy for the external REST service
was achieved by setting the proxySystem property in the
external.rest.json configuration file. There is now a
system-wide HTTP client configuration that includes proxy settings. For
more information, see "Configuring HTTP Clients" in the Integrator's Guide.

4.2. ICF and Connector Changes

The following ICF and connector changes will have an impact on
existing IDM deployments that use those connectors:

IDM 6.5.0.3

There are no new ICF and connector changes in this release.

IDM 6.5.0.2

There are no new ICF and connector changes in this release.

IDM 6.5.0.1

There are no new ICF and connector changes in this release.

IDM 6.5.0

Improvements to the Scripted Groovy Connectors

Connectors based on the Groovy Connector toolkit now use the
CachingSimpleTemplateEngine utility class, instead of
the SimpleTemplateEngine class.

The SimpleTemplateEngine class is prone to memory
leaks. If you have existing Groovy search scripts that use templates, you
should update them to use the new class. For example, change:

Support for the TLSv1.1 protocol has been deprecated and
will be removed in a future release. For more information on the potential
vulnerability, see CVE-2011-3389 in the National
Vulnerability Database of the US National Institute of Standards
and Technology.

The default security protocol for IDM is TLSv1.2.
Do not downgrade this protocol to TLSv1.1 unless
necessary. For more information, see
"Setting the TLS Version" in the Integrator's Guide.

Support for oauthReturn as an endpoint for OAuth2 and
OpenID Connect standards has been deprecated for interactions with
AM and will be removed in a future release. Support has been
removed for interactions with social identity providers, as discussed
in "Removed Functionality".

Default versions of relevant configuration files no longer include
oauthReturn in the redirectUri
setting. However, for IDM 6.5, these
configuration files should still work both with and without
oauthReturn in the endpoint.

In schedule configurations, setting a time zone using the
timeZone field is deprecated. To specify a time zone for
schedules, use the startTime and
endTime fields, as described in
"Configuring Schedules" in the Integrator's Guide.

Support for the MD5 and SHA-1 hash
algorithms is deprecated and will be removed in a future release. You
should use more secure algorithms in a production environment. For a list
of supported hash algorithms, see "Encoding Attribute Values by Using Salted Hash Algorithms" in the Integrator's Guide.

The Active Directory (AD) .NET Connector is deprecated and support for its
use in IDM will be removed in a future release.

For simple Active Directory (and Active Directory LDS) deployments, the
Generic LDAP Connector works better than the Active Directory connector, in
most circumstances. For more information, see
"Generic LDAP Connector" in the Connector Reference.

For more complex Active Directory deployments, use the PowerShell Connector
Toolkit, as described in
"PowerShell Connector Toolkit" in the Connector Reference.

Note that deprecating the AD Connector has no impact on the PowerShell
connector, or on the .NET Connector Server.

When configuring connectors, (see "Configuring Connectors" in the Integrator's Guide), you can set up
nativeType property level extensions. The
JAVA_TYPE_DATE extension is deprecated.

Support for a POST request with ?_action=patch is
deprecated, when patching a specific resource. Support for a POST
request with ?_action=patch is retained, when patching
by query on a collection.

Clients that do not support the regular PATCH verb should use
the X-HTTP-Method-Override header instead.

For example, the following POST request uses the
X-HTTP-Method-Override header to patch user jdoe's
entry:

4.4. Removed Functionality

IDM 6.5.0.3

The security/realm.properties file has been removed from the installation.

IDM 6.5.0.2

No functionality has been removed in this release.

IDM 6.5.0.1

No functionality has been removed in this release.

IDM 6.5.0

Support for the TLSv1.0 protocol has been removed. For
more information, see the following PDF:
Migrating from SSL and Early TLS from the
PCI Security Standards Council.

The default security protocol for IDM is TLSv1.2.
Do not downgrade this protocol unless you have a specific need.

Support for oauthReturn as an endpoint for OAuth2 and
OpenID Connect standards has been removed for interactions with social
identity providers. It is still available for interactions with AM,
as discussed in "Deprecated Functionality".

Default versions of relevant configuration files no longer include
oauthReturn in the redirectUri
setting.

This change affects any configuration where IDM interacts as a
Relying Party with a social identity provider as an OAuth2 or an
OpenID Connect Provider. For related documentation, see
"Configuring Social Identity Providers" in the Integrator's Guide

The automated update facility has been removed. For information on updating
servers, see "Updating to IDM 6.5".

Support for the BoneCP Java database connection (JDBC) pool library has been
removed. HikariCP has been the default IDM JDBC pool library since
version 5. This affects deployments that use JDBC repositories.

Support for running remote connector servers with the legacy communication
protocol has been removed. Connections to remote connector servers must use
the websocket protocol.

Chapter 5. Updating to IDM 6.5

IDM 6.5 provides a number of new features that require
changes to an existing configuration. These changes can be broken into two
categories: changes that are required for IDM to function, and changes
that are only required if you wish to make use of these new features. Before
performing the changes laid out in this chapter, review the instructions in
"Updating Servers" in the Installation Guide.

5.1. Required Changes to IDM

The following changes are required when updating from a previous IDM
release:

5.1.1. Database Changes

There have been several changes to the database structure for IDM
repositories. Run the following scripts to upgrade your database, which can
be found in
bin/update/scripts/database-type/:

alter_internalrole.sql or
alter_internalrole.ldif

This updates the internalrole table to include
several new columns.

alter_objecttypes.sql

Previous MySQL, Oracle, and PostgreSQL database configurations allowed NULL
values in the objecttype column of IDM's objecttypes
table. The column should now be NOT NULL.

Microsoft SQL and DB2 already defined this column as NOT NULL and
need no further changes. DS also needs no changes.

alter_relationships.sql

Caution

This script removes a column from the relationships
table. We recommend making a backup of your repository prior to running
this file.

This removes the properties column from the
relationships table. IDM gets relationship
properties from the fullobject column, making the
properties column unnecessary.

alter_uinotification.sql

This updates the uinotification table to adjust the
column length for createDate.

create_indices.sql

(PostgreSQL only) This creates an index for reconid in
the genericobjects table, and adds indices for several
fields in the clusterobjects table.

migrate_metaobjects.sql

Caution

This script deletes meta data from the genericobjects
table after migrating that data to new tables. We recommend making
a backup of your repository prior to running this file.

This creates two new tables, metaobjects and
metaobjectproperties, then moves user meta data from
genericobjects into these two tables.

The number of scripts found in this directory may vary depending on the
database you are using. Scripts not listed above are optional, and relate
to enabling or configuring specific features in IDM. These will be
referenced in the steps for enabling that particular feature in "Enabling New Features in IDM".

5.1.1.1. Removal of Property Tables in PostgreSQL

Note

This section only applies if you are using PostgreSQL for your repository,
and is optional. It should not harm anything to leave these tables in your
repository, but it is recommended to remove them for the sake of keeping
your database clean.

If you are using PostgreSQL, the following tables previously used to store
property data are no longer needed, and may be removed:

openidm.genericobjectproperties

openidm.managedobjectproperties

openidm.configobjectproperties

openidm.relationshipproperties

openidm.schedulerobjectproperties

openidm.clusterobjectproperties

openidm.updateobjectproperties

Since dropping tables from your database is destructive, it is strongly
recommended that you back up your database before performing this action.

If you are using your old repo.jdbc.json configuration,
references to these tables will need to be removed. For example, the updated
resource mapping for the config object table removes the
propertiesTable property and would now be:

"config" : {
"mainTable" : "configobjects"
},

5.1.2. Configuration Changes

The following changes to your configuration are required:

5.1.2.1. Changes for the New Secrets Service

The IDM 6 version of boot.properties
may not be supported in the next release. Therefore, you should review the
differences as described in "Configuration Options in secrets.json" in the Integrator's Guide as
soon as possible.

5.1.2.1.1. Secrets Service Updates to boot.properties

When comparing the boot.properties files from
IDM 6 and IDM 6.5, you'll
note differences based on the new secrets service:

Keystore and Truststore information (such as
openidm.truststore.type or
openidm.keystore.password) are no longer stored in
boot.properties. This information has been moved to
conf/secrets.json.

Cryptographic settings such as openidm.config.crypto.alias
have been moved to conf/secrets.json.

5.1.2.1.2. Secrets Service Updates to managed.json

In the IDM 6 version of managed.json
file, you'll see the following entry related to user password encryption:

"key" : "openidm-sym-default"

For the IDM 6.5 version of managed.json,
this entry has changed to:

"purpose" : "idm.password.encryption"

You can now define idm.password.encryption in the new
secrets.json file.

5.1.2.2. Changes to repo/internal

Internal objects are no longer stored in repo/internal,
and are now accessed via the internal endpoint. If you
are updating from a previous release of IDM, you must update existing
references to repo/internal to the new endpoint.

References to repo/internal in existing
configuration files need to be changed to internal. The
following files must be updated:

authentication.json

The authModules of STATIC_USER and
INTERNAL_USER need to update their
queryOnResource value from
repo/internal/user to internal/user.

managed.json

The managed user's authzRoles "Internal Role" resource
collection should change its path from
repo/internal/role to internal/role.

policy.json

The resource of repo/internal/user/*
should change to internal/user/*.

router.json

One filter pattern needs to be updated:
(managed|system|repo/internal)($|(/.*)) should change to
(managed|system|internal)($|(/.*)).

One filter pattern needs to be deleted: the
repo/internal/user((/.*)|$) pattern is no longer
required and should be deleted from router.json.

Run the removeRepoPathFromRelationships
endpoint. This will update any existing relationships to remove
repo/ from internal roles:

Note

5.1.2.3. Changes to Internal Roles and Internal Users

There have been updates to the internal schema for internal roles and users,
which require updating existing entries in your repository. To update these
internal roles and internal users, run the
updateInternalUserAndInternalRoleEntries endpoint:

Note

5.1.2.4. Changes to Conditional Roles

The way in which conditional roles are granted to new users has changed. Previously,
conditional roles were granted as part of the onCreate script. This
functionality was achieved with the following configuration of the user
object (in conf/managed.json):

Conditional role grants are now achieved internally within the IDM backend. To ensure
that an updated deployment continues to work as designed, remove the following from all
onCreate scripts in your existing managed.json file:

5.1.2.5. Changes to repo.jdbc.json

The following fields can be removed from existing repo.jdbc.json
files when upgrading from a previous version:

The properties field of the relationships
object has been removed when using generic resource mappings. The object
path to this field is
/resourceMapping/genericMapping/relationships/properties.

5.1.2.6. Enabling HikariCP

HikariCP is the new default JDBC (Java Database Connectivity) connection
pool library for IDM. If you are using a JDBC repository, set the
connectionPool type in
datasource.jdbc-default.json to
hikari instead of boneCP:

5.1.2.8. Changes to the redirectUri for Social Identity Providers

If you've configured a social identity provider for a previous version of
IDM, you'll need to update the redirectUri for
the provider, by removing the oauthReturn/ from the
URL, in two locations:

identityProvider-name.json

In the configuration file named for the identity provider, such as
identityProvider-google.json.

When configuring your identity provider

When you configure your identity provider, look for an entry such as
Redirect or Return URL. You'll
need to update the value corresponding to the IDM
redirectUri on the social identity provider
developer (or similar) page.

For example, for IDM 6, you'll have a redirectUri
such as:

http://idm.example.com:8080/oauthReturn/

In this case, you'd change the value of redirectUri to:

http://idm.example.com:8080/

5.1.2.9. Updating logging.properties

Recent security fixes prevent Jetty from logging sensitive data, such as
passwords. Verify that your conf/logging.properties
file includes the following excerpt (and add the excerpt if necessary) to
prevent unnecessary data from being logged:

# Logs the output from Jetty
# Sets the following Jetty classes to INFO level by default because if logging is set to FINE or higher,
# sensitive information can be leaked into the logs
org.eclipse.jetty.server.HttpChannel.level=INFO
org.eclipse.jetty.server.HttpConnection.level=INFO
org.eclipse.jetty.server.HttpInput.level=INFO
org.eclipse.jetty.http.HttpParser.level=INFO
org.eclipse.jetty.io.ssl.SslConnection.level=INFO

These settings cap the Jetty request-handling loggers at INFO,
so request and response bodies (which carry the password during a password
change, for example) are not written to the log. If you need full wire-level
logging (for example, to debug an issue in a test environment), raise these
loggers to FINE or FINEST for the duration of the
investigation, treat the resulting log files as containing credentials, and
revert the setting afterward. For example:
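A check for this setting, as an added example that is not from the release notes or from IDM: it parses logging.properties and resolves each listed Jetty logger's effective level the way java.util.logging does, through the logger hierarchy (the logger's own .level key, otherwise the nearest configured ancestor, otherwise the root .level). That goes one step beyond the excerpt above, because it also catches the case the five explicit lines do not cover on their own: they are missing and a package-level key such as org.eclipse.jetty.level=FINE (a constructed example) silently applies to all of them. The sample configurations are constructed; the properties parser is simplified (no line continuations or escapes), and handler levels are deliberately not consulted.

```python
"""Audit an IDM conf/logging.properties for verbose Jetty loggers.

Added example; not part of the ForgeRock release notes or of IDM itself.
Levels are resolved through the java.util.logging logger hierarchy: the
logger's own '.level' key wins, otherwise the nearest configured ancestor,
otherwise the root '.level'. Anything at FINE or more verbose is reported,
because at those levels Jetty can write request payloads such as passwords.
"""

JETTY_LOGGERS = (
    "org.eclipse.jetty.server.HttpChannel",
    "org.eclipse.jetty.server.HttpConnection",
    "org.eclipse.jetty.server.HttpInput",
    "org.eclipse.jetty.http.HttpParser",
    "org.eclipse.jetty.io.ssl.SslConnection",
)
# java.util.logging levels, least to most verbose.
LEVEL_RANK = {"OFF": 0, "SEVERE": 1, "WARNING": 2, "INFO": 3, "CONFIG": 4,
              "FINE": 5, "FINER": 6, "FINEST": 7, "ALL": 8}


def parse_properties(text):
    """Simplified java.util.Properties reader: key=value or key:value, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        idx = min((line.find(sep) for sep in "=:" if sep in line), default=-1)
        if idx < 0:
            props[line] = ""
        else:
            props[line[:idx].strip()] = line[idx + 1:].strip()
    return props


def effective_level(props, logger):
    """Resolve a logger's level as JUL would; returns (LEVEL, key it came from)."""
    name = logger
    while name:
        key = name + ".level"
        if key in props:
            return props[key].upper(), key
        name = name.rpartition(".")[0]  # walk up to the parent logger
    if ".level" in props:
        return props[".level"].upper(), ".level"
    return "INFO", None  # JUL's built-in root default when nothing is configured


def audit_jetty_logging(text):
    """Return {logger: (level, source_key)} for each Jetty logger at FINE or more verbose."""
    props = parse_properties(text)
    findings = {}
    for logger in JETTY_LOGGERS:
        level, source = effective_level(props, logger)
        # Unknown level strings are treated as ALL so a typo cannot pass the check.
        if LEVEL_RANK.get(level, LEVEL_RANK["ALL"]) >= LEVEL_RANK["FINE"]:
            findings[logger] = (level, source)
    return findings


def hardening_lines():
    """The lines the release note asks you to keep in logging.properties."""
    return [f"{logger}.level=INFO" for logger in JETTY_LOGGERS]


# Constructed sample: the excerpt from the release note plus a root level.
HARDENED = """\
.level=INFO
handlers=java.util.logging.FileHandler, java.util.logging.ConsoleHandler
# Sets the following Jetty classes to INFO level by default
org.eclipse.jetty.server.HttpChannel.level=INFO
org.eclipse.jetty.server.HttpConnection.level=INFO
org.eclipse.jetty.server.HttpInput.level=INFO
org.eclipse.jetty.http.HttpParser.level=INFO
org.eclipse.jetty.io.ssl.SslConnection.level=INFO
"""

# Constructed sample: a debugging change nobody reverted. The five explicit lines
# are missing, so every Jetty logger inherits FINE from the package-level key.
LEAKY = """\
.level=INFO
org.eclipse.jetty.level = FINE
"""

# Constructed sample: root at FINEST for debugging, but the explicit lines still
# pin the Jetty loggers to INFO, which is what the release note relies on.
DEBUG_BUT_PINNED = ".level=FINEST\n" + "\n".join(hardening_lines()) + "\n"

if __name__ == "__main__":
    for label, text in (("hardened", HARDENED), ("leaky", LEAKY)):
        print(label, audit_jetty_logging(text) or "ok")
```

Run audit_jetty_logging over the contents of conf/logging.properties as a pre-start or CI check and fail the deployment on any finding. Handler levels are ignored on purpose: a FileHandler capped at INFO would also hide FINE records, but relying on that is fragile, since the next person who raises the handler level to debug an unrelated component gets the leak back.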

5.2. Enabling New Features in IDM

If you are updating from a previous IDM release, read this section
and follow the steps required for each feature that you want to enable in
the updated deployment.

5.2.1. Enabling Queued Synchronization

IDM now supports queued synchronization, which allows you to queue
implicit synchronization activity on actions that would otherwise trigger an
immediate implicit synchronization. Several changes are necessary to turn this
feature on when updating from a previous version of IDM:

Updating Databases and Configurations for Queued Synchronization

Update your IDM database to add the new syncqueue
and locks tables by running either
create_syncqueue.sql or
create_syncqueue.ldif (depending on your database type),
which can be found in
bin/update/scripts/database-type/.

Update your repository configuration files to include the new
locks and sync/queue mappings in the
explicitMapping resource map. For
repo.jdbc.json, add:

5.2.2. Enabling Privileges

Privileges are a new feature of internal roles that let you delegate
specific administrative capabilities to users without assigning a full
administrator role. For example, support personnel may need to manage
users but should not be able to manage other aspects of IDM.

Before proceeding further, ensure you have run the required database
scripts referenced in "Database Changes".

Update your repo.jdbc.json or repo.ds.json
files to include temporal constraints and privileges for internal roles:

Note

If you already have custom access rules, take a moment to assess these
rules before trying to apply new privileges. Any custom access rules
created in access.js will be applied before
privileges are considered, which may prevent the new privileges from
being correctly applied.

Note

The ownIDP() customAuthz script
referenced is deliberately broad, so that it works with any social identity
provider you may use. For a production deployment, replace it with
ownRelationship() customAuthz scripts scoped to each of the specific
social identity providers you intend to use. For example, if you wish to
enable Google and Facebook as social identity providers, the
managed/* pattern calling ownIDP()
should be changed to:

5.2.3. Enabling Dynamic Role Calculation

To enable dynamically recalculating role assignments without requiring the
user to log out and back in, open authentication.json,
and enable the enableDynamicRoles property in the
JWT_SESSION session module:

"enableDynamicRoles" : true

This will also enable privileges on internal roles, but can be used as its
own feature even if you do not plan to use privileges.

Note

If your IDM instance has a large number of role assignments,
performance may be impacted by enabling this feature.

5.2.4. Adding Thread IDs to Log Messages

IDM can now include the thread ID for the thread generating a log
message, which can help when debugging. To enable this feature, open
logging.properties and adjust the
ConsoleHandler and FileHandler
formatters to use ThreadIdLogFormatter:

5.2.7. Enabling Oracle UCP

Oracle UCP is a connection pool designed to cache JDBC connections. For
IDM 6.5, it is an alternative to HikariCP for
Oracle DB, as described in "Setting Up an Oracle DB Repository" in the Installation Guide.
If you want to use Oracle UCP for IDM 6.5 instead
of HikariCP, take the following steps:

Find any custom settings that you created in your current
datasource.jdbc-default.json file.

Find the datasource.jdbc-ucp-oracle.json file in
the /path/to/openidm/db/oracle/conf directory, and
modify that file as needed for compatibility.

The section describing the configuration of workflows has been changed
("Enabling Workflows" in the Integrator's Guide).
The mail parameter of the Activiti engine is currently
not supported (see
OPENIDM-11370).

Added a scripting step to clear the reconprogressstate
column from the genericobjects table in the
repository after the update process. For more information, see
"Upgrade Your Existing Repository" in the Installation Guide.

Appendix A. Release Levels and Interface Stability

This appendix includes ForgeRock definitions for product release levels
and interface stability.

A.1. ForgeRock Product Release Levels

ForgeRock defines Major, Minor, Maintenance, and Patch product release levels.
The release level is reflected in the version number.
The release level tells you what sort of compatibility changes to expect.

Release Level Definitions

Release Label

Version Numbers

Characteristics

Major

Version: x[.0.0] (trailing 0s are optional)

Bring major new features, minor features, and bug fixes

Can include changes even to Stable interfaces

Can remove previously Deprecated functionality,
and in rare cases remove Evolving functionality
that has not been explicitly Deprecated

Include changes present in previous Minor and Maintenance releases

Minor

Version: x.y[.0] (trailing 0s are optional)

Bring minor features, and bug fixes

Can include backwards-compatible changes to Stable interfaces
in the same Major release,
and incompatible changes to Evolving interfaces

Can remove previously Deprecated functionality

Include changes present in previous Minor and Maintenance releases

Maintenance, Patch

Version: x.y.z[.p]

The optional .p reflects a Patch version.

Bring bug fixes

Are intended to be fully compatible with previous versions
from the same Minor release

A.2. ForgeRock Product Interface Stability

ForgeRock products support many protocols, APIs, GUIs,
and command-line interfaces.
Some of these interfaces are standard and very stable.
Others offer new functionality that is continuing to evolve.

ForgeRock acknowledges that you invest in these interfaces,
and therefore must know when and how ForgeRock expects them to change.
For that reason, ForgeRock defines interface stability labels
and uses these definitions in ForgeRock products.

Interface Stability Definitions

Stability Label

Definition

Stable

This documented interface is expected to undergo
backwards-compatible changes only for major releases.
Changes may be announced at least one minor release before they take effect.

Evolving

This documented interface is continuing to evolve
and so is expected to change,
potentially in backwards-incompatible ways even in a minor release.
Changes are documented at the time of product release.

While new protocols and APIs are still in the process of standardization,
they are Evolving.
This applies for example to recent Internet-Draft implementations,
and also to newly developed functionality.

Deprecated

This interface is deprecated
and likely to be removed in a future release.
For previously stable interfaces,
the change was likely announced in a previous release.
Deprecated interfaces will be removed from ForgeRock products.

Removed

This interface was deprecated in a previous release
and has now been removed from the product.

Technology Preview

Technology previews provide access to new features built on
evolving technology that are not yet supported. Technology preview
features may be functionally incomplete, and the function as implemented
is subject to change without notice. DO NOT DEPLOY A TECHNOLOGY PREVIEW
INTO A PRODUCTION ENVIRONMENT.

Customers are encouraged to test drive the technology preview features
in a non-production environment and are welcome to make comments and
suggestions about the features in the associated forums.

ForgeRock does not guarantee that a technology preview feature will be
present in future releases, and the final complete version of the feature is
liable to change between the preview and the final version. Once a technology
preview moves into the completed version, that feature becomes part
of the ForgeRock platform. Technology previews are provided on an
“AS-IS” basis for evaluation purposes only, and ForgeRock accepts no
liability or obligations for the use thereof.

Internal/Undocumented

Internal and undocumented interfaces can change without notice.
If you depend on one of these interfaces, contact ForgeRock support
or email info@forgerock.com
to discuss your needs.

Appendix B. Getting Support

For more information and resources about IDM and ForgeRock
support, see the following sections:

B.1. Accessing Documentation Online

ForgeRock publishes comprehensive documentation online:

The ForgeRock
Knowledge Base
offers a large and increasing number of up-to-date, practical articles
that help you deploy and manage ForgeRock software.

While many articles are visible to community members,
ForgeRock customers have access to much more,
including advanced information for customers using ForgeRock software
in a mission-critical capacity.

ForgeRock product documentation, such as this document,
aims to be technically accurate and complete
with respect to the software documented.
It is visible to everyone and covers all product features
and examples of how to use them.

B.2. Using the ForgeRock.org Site

The
ForgeRock.org site
has links to source code for ForgeRock open source software,
as well as links to the ForgeRock forums and technical blogs.

If you are a ForgeRock customer,
raise a support ticket instead of using the forums.
ForgeRock support professionals will get in touch to help you.

B.3. Getting Support and Contacting ForgeRock

ForgeRock provides support services, professional services, training through
ForgeRock University, and partner services to assist you in setting up and
maintaining your deployments.
For a general overview of these services, see
https://www.forgerock.com.

ForgeRock has staff members around the globe who support our international
customers and partners. For details on ForgeRock's support offering, including
support plans and service level agreements (SLAs), visit
https://www.forgerock.com/support.